[Freeipa-users] user keytab retrieval

Stijn De Weirdt stijn.deweirdt at ugent.be
Thu Apr 6 20:18:36 UTC 2017


hi rob,

>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>> using ipa-getkeytab -r (since the keytab for the same user was already
>> retrieved on another host).
>>
>> when doing so, i get
>>
>> Failed to parse result: Insufficient access rights
>>
>> however, i can get the keytab without the -r option.
>>
>> anyone care to explain what access rights are required (or why this
>> error occurs)?
> 
> Being able to retrieve an existing key means being able to read it which
> isn't granted by default.
ok, but why is a "regular" ipa-getkeytab no problem?

> 
> It depends on how you want to grant this access: to this one user, to
> all users, to groups, etc.
i only need to get the user keytab on a few machines; i could probably
scp it from one host to the other. but i assumed that ipa-getkeytab -r
would do the same.

> 
> The attribute you want is ipaProtectedOperation;read_keys but use it
> very carefully because you are granting read access to keys.
ok, i'll try to read a bit more about it first.

stijn
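As an added example (not part of this thread and not FreeIPA project code), here is the check worth running before picking between the two modes: `ipa-getkeytab` without `-r` generates a fresh key for the principal, which bumps its kvno and invalidates the keytab already sitting on the other host, whereas `ipa-getkeytab -r` (the mode that needs the read_keys access) hands out the existing key. The script parses `klist -kt` style output from two hosts and reports whether the two keytabs still hold the same key version. The klist output, hostnames and principal below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project).
# Compare the key version number (kvno) that two keytabs hold for one
# principal. ipa-getkeytab WITHOUT -r creates new keys, so the kvno rises
# and the older keytab on the other host stops working; ipa-getkeytab -r
# (which needs the read_keys permission) hands out the existing key instead.

# Extract the highest kvno recorded for a principal from `klist -kt` output.
# $1 = klist output text, $2 = principal name
highest_kvno() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        BEGIN { max = 0 }
        # data lines look like: "KVNO Timestamp Principal"; header and
        # separator lines do not start with a number and are skipped
        $1 ~ /^[0-9]+$/ && $NF == princ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max }'
}

# Return 0 if both keytabs agree on the kvno for the principal, 1 otherwise.
# $1 = klist output from host A, $2 = klist output from host B, $3 = principal
kvno_matches() {
    a=$(highest_kvno "$1" "$3")
    b=$(highest_kvno "$2" "$3")
    [ "$a" -eq "$b" ]
}

# Constructed sample output (hostnames, paths and principal are made up).
# Host A still has the keytab from the first retrieval (kvno 2).
HOST_A_KLIST='Keytab name: FILE:/etc/svcuser.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/06/2017 10:00:00 svcuser@EXAMPLE.TEST
   2 04/06/2017 10:00:00 svcuser@EXAMPLE.TEST'

# Host B ran ipa-getkeytab without -r afterwards, so it holds new keys (kvno 3).
HOST_B_KLIST='Keytab name: FILE:/etc/svcuser.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/06/2017 11:30:00 svcuser@EXAMPLE.TEST
   3 04/06/2017 11:30:00 svcuser@EXAMPLE.TEST'

if kvno_matches "$HOST_A_KLIST" "$HOST_B_KLIST" svcuser@EXAMPLE.TEST; then
    echo "kvno matches: both keytabs hold the same key version"
else
    echo "kvno differs: the key was regenerated, the older keytab is now stale"
fi
```

On real hosts, feed the function the output of `klist -kt /path/to/keytab` collected from each machine; a mismatch is the signature of a non-`-r` retrieval having rotated the key behind the other host's back.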



